0

NAT problem on single server install / Can't connect to floating IPs from public internet

asked 2011-03-14 10:36:02 -0500

I'm running nova Bexar as a single server install on a remote web server (one physical internet connection, 4 public IP addresses). Everything works fine, I'm able to run and use instances (ping, ssh), but I'm unable to use an associated public IP.

As you can see, I'm using FlatDHCPManager and all instances run with IPs out of the 10.0.1.0/24 network. I used nova-manage to create floating IPs and euca-associate-address to associate them to the instances. There's no sign of an error in the log files.

However, I'm unable to connect via SSH to the associated public IPs. I am able to ping though.

I also tried to figure out which iptables setup nova uses and run them directly, but I couldn't find any error messages. I am, however, not sure if I got the commands right.

Any help on how to figure out how to assign the additional IPs in the "correct" way would be very much appreciated.

See the attached config files for more information.

#cat /etc/nova/nova.conf
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--logdir=/var/log/nova
--state_path=/var/lib/nova
--verbose
--my_ip=89.238.83.54
--daemonize=1
--state_path=/var/lib/nova
--sql_connection=mysql://root:QZhUjpeQ@89.238.83.54/nova
--s3_host=89.238.83.54
--rabbit_host=89.238.83.54
--cc_host=89.238.83.54
--network_host=192.168.1.60
--verbose
--ec2_url=http://89.238.83.54:8773/services/Cloud
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/12
--routing_source_ip=89.238.83.54
--flat_network_dhcp_start=10.0.1.2
--flat_injected=False
--network_size=10
--public_interface=eth0

#ifconfig
br100     Link encap:Ethernet  HWaddr fe:16:3e:03:b8:d9
          inet addr:10.0.1.1  Bcast:10.0.1.127  Mask:255.255.255.128
          inet6 addr: fe80::c8e9:71ff:fec1:310f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6442 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:511487 (511.4 KB)  TX bytes:5823020 (5.8 MB)

eth0      Link encap:Ethernet  HWaddr 1c:6f:65:8d:6d:31
          inet addr:89.238.83.54  Bcast:89.238.83.255  Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:fe8d:6d31/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5274404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:399808856 (399.8 MB)  TX bytes:717974 (717.9 KB)
          Interrupt:29 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10057188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10057188 errors:0 dropped:0 overruns:0 carrier:0
          ... (more)


6 answers

0

answered 2011-03-18 09:51:20 -0500

Thanks for your answer, Everett.

I already checked IP forwarding, it's set to "1".

0

answered 2011-03-14 17:37:13 -0500

vishvananda

did you euca-authorize port 22?

euca-authorize -P tcp -p 22 default

On Mar 14, 2011, at 3:36 AM, Markus Thielmann wrote:

New question #149013 on OpenStack Compute (nova): https://answers.launchpad.net/nova/+q...

0

answered 2012-09-20 05:18:22 -0500

#euca-allocate-address
an unknown error has occurred.please try your request again.

I am unable to solve this problem. How can I resolve it?
0

answered 2011-03-21 02:40:24 -0500

everett-toews

I found out what the problem was in my situation. I had accidentally specified the wrong block of public routable IP addresses for that particular set of machines. As soon as I used the proper block of addresses everything worked fine.

Here's some stuff you can try/check:

Setting up the addresses.

nova-manage floating create my-hostname 68.99.26.170/31
euca-allocate-address 68.99.26.170
euca-associate-address -i i-1 68.99.26.170

Make sure the security groups are open.

root@my-hostname:~# euca-describe-groups
GROUP       admin-project   default   default
PERMISSION  admin-project   default   ALLOWS   icmp   -1   -1   FROM   CIDR   0.0.0.0/0
PERMISSION  admin-project   default   ALLOWS   tcp    22   22   FROM   CIDR   0.0.0.0/0

Check the nat rules have been added to iptables.

-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170

Check that 68.99.26.170 has been added to your public interface, which you should see when you type "ip addr".

2: eth0: <broadcast,multicast,up,lower_up> mtu 1500 qdisc mq state UP qlen 1000
    link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
    inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
    inet 68.99.26.170/32 scope global eth0
    inet6 fe80::82b:2bf:fe1:4b2/64 scope link
       valid_lft forever preferred_lft forever

You will need to set --public_interface in your nova.conf on the network node so that nova knows where to bind public IP addresses. Don't forget to restart nova-network if you do change nova.conf.

Hope this helps, Everett

P.S. IP and MAC address changed to protect the innocent.

0

answered 2011-03-14 18:53:20 -0500

Thanks for your answer Vish, very much appreciated. Yes, I did authorize for SSH and ICMP, via

#euca-authorize -P icmp -t -1:-1 default
#euca-authorize -P tcp -p 22 default

As I said, I'm able to ssh into the instance, as long as I'm using the local IP (10.0.1.x) of the instance. But I'm unable to ssh from outside the host, if I'm using a floating IP.

0

answered 2011-03-17 22:21:40 -0500

everett-toews

I'm having the exact same problem at the moment. Can't ssh to a publicly routable floating IP from outside the host.

One thing I tried on the host with nova-network running was to enable IP forwarding but it didn't help. Try

sysctl net.ipv4.ip_forward        # tells you if IP forwarding is enabled
sysctl -w net.ipv4.ip_forward=1   # enable IP forwarding until reboot
vim /etc/sysctl.conf              # uncomment the line net.ipv4.ip_forward = 1 to enable IP forwarding permanently

Hope it works for you.

Everett

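The checklist from Everett's two answers (DNAT rules in PREROUTING and OUTPUT, the SNAT rule, the floating address bound on the public interface, and the ip_forward sysctl) can be scripted so a host is verified in one go. This is an added example, not code from the thread or from nova: it parses constructed sample output of `iptables-save -t nat`, `ip addr` and `sysctl net.ipv4.ip_forward` using the addresses from Everett's answer, and the function names are my own.

```python
import re

# Constructed sample output (addresses taken from Everett's answer above).
NAT_SAVE = """\
-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170
"""
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
    inet 68.99.26.170/32 scope global eth0
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"

# Matches the nova DNAT/SNAT rules as iptables-save prints them.
NAT_RE = re.compile(r"-A (\S+) -([ds]) (\S+)/32 -j (DNAT|SNAT) --to-(?:destination|source) (\S+)")

def parse_nat(nat_save):
    """Return (chain, flag, address, target, to) tuples for every DNAT/SNAT rule."""
    return [m.groups() for m in map(NAT_RE.match, nat_save.splitlines()) if m]

def bound_addresses(ip_addr, iface):
    """Return the IPv4 addresses that `ip addr` shows on iface."""
    addrs, current = set(), None
    for line in ip_addr.splitlines():
        head = re.match(r"\d+: (\S+):", line)
        if head:
            current = head.group(1)
        elif current == iface:
            m = re.match(r"\s*inet (\d+(?:\.\d+){3})/", line)
            if m:
                addrs.add(m.group(1))
    return addrs

def check_floating_ip(floating, fixed, nat_save, ip_addr, sysctl_out, iface="eth0"):
    """One boolean per condition that must hold before SSH to the floating IP can work."""
    rules = set(parse_nat(nat_save))
    return {
        "dnat_prerouting": ("nova-network-PREROUTING", "d", floating, "DNAT", fixed) in rules,
        "dnat_output": ("nova-network-OUTPUT", "d", floating, "DNAT", fixed) in rules,
        "snat_floating": ("nova-network-floating-snat", "s", fixed, "SNAT", floating) in rules,
        "bound_on_iface": floating in bound_addresses(ip_addr, iface),
        "ip_forward": sysctl_out.strip().endswith("= 1"),
    }

if __name__ == "__main__":
    for name, ok in check_floating_ip("68.99.26.170", "10.0.0.3", NAT_SAVE, IP_ADDR, SYSCTL).items():
        print("%-16s %s" % (name, "ok" if ok else "MISSING"))
```

On a real host, feed it the live output of the three commands; any line reported MISSING points at the step in Everett's list that has not taken effect.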

Stats

Asked: 2011-03-14 10:36:02 -0500

Seen: 59 times

Last updated: Sep 20 '12